On the Security of Liaw et al.'s Scheme

Amit K Awasthi
Department of Mathematics,
Pranveer Singh Institute of Technology
Kanpur-208020, UP, India.
Email: awasthi@psit.in



Abstract 

Recently, Liaw et al. proposed a remote user authentication scheme using smartcards. They
claimed a number of features of their scheme, e.g. a dictionary of verification tables is not
required to authenticate users; users can choose their password freely; mutual authentication is
provided between the user and the remote system; the communication cost and the computational
cost are very low; users can update their password after the registration phase; a session
key agreed by the user and the remote system is generated in every session; and the scheme is
nonce-based, so it does not require a timestamp (which solves the serious time synchronization
problem), etc.

In this paper we show that Liaw et al.'s scheme does not meet various security
requirements and is completely insecure.

1 Introduction

In an insecure communication network, remote user authentication is a tool to authenticate remote
users. Remote user authentication is a process by which a remote system gains access to the remote
resources.

In 1981, Lamport [5] proposed a password-based remote user authentication scheme using
password tables to verify the remote user over an insecure communication channel. That scheme does
not fulfil the security requirements of the current scenario. Since Lamport's scheme, several remote
user authentication schemes and improvements pQ, [3], 0], [6], [8] have been proposed with and
without smart cards. Some of these schemes are also discussed in a survey [7]. Recently, Liaw et
al. [6] proposed a remote user authentication scheme using smart cards. Their scheme claims
a number of features, e.g. a dictionary of verification tables is not required to authenticate users;
users can choose their password freely; mutual authentication is provided between the user and the
remote system; the communication cost and the computational cost are very low; users can update
their password after the registration phase; a session key agreed by the user and the remote system
is generated in every session; and the scheme is nonce-based, so it does not require a timestamp
(which solves the serious time synchronization problem), etc. In this paper we show that Liaw et al.'s
scheme has many security holes and is completely insecure.

2 The Liaw et al.'s scheme 

The scheme consists of five phases: registration, login, verification, session and password change. 

2.1 Registration phase

A new user $U_i$ submits identity $ID_i$ and password $PW_i$ to the remote system for registration. The
remote system computes $U_i$'s secret information $v_i = h(ID_i, x)$ and $e_i = v_i \oplus PW_i$, where $x$ is a
secret key maintained by the remote system and $h(\cdot)$ is a secure one-way hash function. Then the
remote system writes $h(\cdot)$ and $e_i$ into the memory of a smart card and issues the card to $U_i$.

2.2 Login phase 

When $U_i$ wants to log into the remote system, he/she inserts the smart card into the terminal and
enters $ID_i$ and $PW_i$. The smart card then performs the following operations:

L1. Generate a random nonce $N_i$ and compute $C_i = h(e_i \oplus PW_i, N_i)$.

L2. Send the login message $\langle ID_i, C_i, N_i \rangle$ to the remote system.

2.3 Verification phase 

To check the authenticity of $\langle ID_i, C_i, N_i \rangle$, the remote system checks the validity of $ID_i$. If $ID_i$
is valid, it computes $v'_i = h(ID_i, x)$ and checks whether $C_i = h(v'_i, N_i)$. It then generates a random
nonce $N_s$, encrypts the message as $M = E_{v'_i}(N_i, N_s)$ and sends it back to the card.
The smart card decrypts the message as $D_{e_i \oplus PW_i}(M)$ and gets $(N'_i, N'_s)$. It then verifies whether
$N'_i = N_i$ and $N'_s = N_s$. If these checks hold, the mutual authentication is done.

2.4 Session phase 

This phase involves two public parameters $q$ and $\alpha$, where $q$ is a large prime number and $\alpha$ is a
primitive element mod $q$. The phase works as follows:

S1. The remote system computes $S_i = \alpha^{N_s} \bmod q$ and sends $S_i$ to the smart card. The smart
card computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.

S2. The remote system computes $K_s = (W_i)^{N_s} \bmod q$ and the smart card computes $K_u = (S_i)^{N_i} \bmod q$.
It is easy to see that $K_s = K_u$. Then, the card and the remote system exchange the
data using the session key and $e_i$.

2.5 Password change phase 

With this phase $U_i$ can change his/her $PW_i$ by the following steps:

S1. Calculate $e'_i = e_i \oplus PW_i \oplus PW'_i$.

S2. Update $e_i$ in the memory of the smart card to $e'_i$.

3 Security Weaknesses 

1. In the registration phase, user $U_i$ submits the identity $ID_i$ and password $PW_i$ to the remote system.
The medium of communication is not described: is it secure or insecure? In real settings, a user
normally uses an insecure channel. In that case the password $PW_i$ is revealed to an adversary A in
between.

2. In the login phase, when user $U_i$ keys in the identity $ID_i$ and password $PW_i$, the smartcard computes
a login message $\langle ID_i, C_i, N_i \rangle$, where $N_i$ is a random nonce and $C_i = h(e_i \oplus PW_i, N_i)$.
This login message travels through insecure public channels. The adversary A can intercept
the valid login request $\langle ID_i, C_i, N_i \rangle$.

Now, with this information, adversary A can mount a replay attack. He sends $\langle ID_i, C_i, N_i \rangle$ to
the remote system at any time as a login request. To validate $\langle ID_i, C_i, N_i \rangle$, the remote
system does the following:

- Checks the validity of $ID_i$.

- Computes $v'_i = h(ID_i, x)$ and checks whether $C_i = h(v'_i, N_i)$. Note that at this point there is
no check on the server side that prevents the reuse of a nonce $N_i$ which was already used
in some previous login. Thus the server is unable to decide whether $C_i$ is coming
from a legitimate user or from an adversary. It is obvious that the system authenticates the
login request.

- The remote system generates a nonce $N^*$ and encrypts the message as $M = E_{v'_i}(N_i, N^*)$,
then sends $\langle M \rangle$ back to the communicating party (which here is adversary A,
impersonating the legitimate user).

- Now, A will just reply 'OK' and will enjoy access to the remote system. Therefore,
ultimately the concept of mutual authentication fails on both sides.

3. In the above paragraph, adversary A has knowledge of the login request $\langle ID_i, C_i, N_i \rangle$. If he is
able to access the user's smartcard by any means, he can recover the information $e_i$, which is stored on
the smartcard. Now, knowing $C_i$ and $e_i$, the adversary can perform an offline attack, as
he knows three variables of the equation $C_i = h(e_i \oplus PW_i, N_i)$. He can try various
combinations of passwords by trial and error.

4. The session phase of Liaw et al.'s scheme suffers from a man-in-the-middle attack while the user
and server are establishing the common session key. It works as follows:

1. The remote system computes $x_S = \alpha^{N_s} \bmod q$ and communicates $x_S$. The adversary
A computes $x_A = \alpha^{N_i} \bmod q$ and sends $x_A$ to the remote system.

2. The remote system computes $K_s = (x_A)^{N_s} \bmod q$ and A computes $K_a = (x_S)^{N_i} \bmod q$.
It is easy to see that $K_s = K_a$. Now, with the help of the other public parameters, the adversary
can communicate with the server in encrypted form.
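
The following model of the scheme is an added example, not code from the paper or from Liaw et al. It runs the server check of Section 2.3 on a captured login message to show the acceptance described in item 2, the same check with nonce tracking added, the offline verifier of item 3, and the key equality of item 4. Assumptions: h(.) is modelled with SHA-256, passwords are zero-padded before the XOR, and q, alpha, x and all function names are constructed for illustration.

```python
import hashlib
import secrets

Q, ALPHA = 2**127 - 1, 3     # stand-in public parameters q, alpha (constructed)
X = b"server-secret-x"       # constructed server key x

def h(*parts: bytes) -> bytes:
    """h(.) modelled as SHA-256 over length-prefixed inputs (assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a: bytes, b: bytes) -> bytes:
    # the shorter operand (the password) is zero-padded to len(a)
    return bytes(x ^ y for x, y in zip(a, b.ljust(len(a), b"\0")))

def card_login(uid: bytes, e_i: bytes, pw: bytes):
    """Login phase L1-L2: build <ID_i, C_i, N_i>."""
    n_i = secrets.token_bytes(16)
    return uid, h(xor(e_i, pw), n_i), n_i

def verify(msg, seen=None) -> bool:
    """Server check C_i = h(v'_i, N_i); a `seen` set adds the nonce-reuse check."""
    uid, c_i, n_i = msg
    if seen is not None and (uid, n_i) in seen:
        return False                               # nonce already used by this ID
    ok = secrets.compare_digest(c_i, h(h(uid, X), n_i))
    if ok and seen is not None:
        seen.add((uid, n_i))
    return ok

def guess_matches(e_i: bytes, msg, candidate: bytes) -> bool:
    """Item 3: e_i plus one transcript verifies a password guess offline."""
    return h(xor(e_i, candidate), msg[2]) == msg[1]

def demo():
    uid, pw = b"alice", b"correct horse"           # constructed sample user
    e_i = xor(h(uid, X), pw)                       # registration: e_i = v_i XOR PW_i
    captured = card_login(uid, e_i, pw)            # login message seen on the channel
    as_specified = (verify(captured), verify(captured))
    seen = set()
    with_check = (verify(captured, seen), verify(captured, seen))
    guesses = [guess_matches(e_i, captured, g) for g in (b"letmein", pw)]
    n_s = secrets.randbelow(Q - 2) + 1             # server exponent N_s
    s_i = pow(ALPHA, n_s, Q)                       # x_S, sent in clear
    n_i = int.from_bytes(captured[2], "big")       # N_i, sent in clear in L2
    k_s = pow(pow(ALPHA, n_i, Q), n_s, Q)          # server: (x_A)^{N_s} mod q
    k_a = pow(s_i, n_i, Q)                         # item 4: (x_S)^{N_i} mod q
    return as_specified, with_check, guesses, k_s == k_a
```

With the check as specified, both submissions of the same message verify; with the `seen` set, the second one is rejected. The nonce tracking addresses only the reuse noted in item 2 and leaves items 1, 3 and 4 as they are.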

4 Conclusion 

In this paper, we have shown various security holes of the Liaw et al.'s scheme. 